AN - 0000104/2021: Difference between revisions
(→Facts) |
No edit summary |
||
| Line 66: | Line 66: | ||
}} | }} | ||
A Spanish Court annuled a millionaire fine imposed on BBVA. It held that the DPA violated principles of the sanctioning procedure, as there was a disconnection between the original complaints and the investigation on the bank's privacy policy. | A Spanish Court annuled a millionaire fine imposed on BBVA. It held that the DPA violated principles of the sanctioning procedure, as there was a disconnection between the facts reported in original complaints and the investigation on the bank's privacy policy. | ||
== English Summary == | == English Summary == | ||
=== Facts === | === Facts === | ||
On 11 December 2020, the Spanish DPA jointly decided on 5 complaints made by different data subjects against BBVA | On 11 December 2020, the Spanish DPA (AEPD) jointly decided on 5 complaints made by different data subjects against BBVA[[AEPD - PS/00070/2019|PS/00070/2019]]). In short, of the 5 complaints: 1 concerned the obligation to sign a privacy policy document to unblock a bank account; 1 referred to the validity of the consent obtained through agreement with the privacy policy document; another 3 were related to receiving advertising messages without consent (which the bank claimed to have collected through the privacy policy document that the clients signed). | ||
At the end of the procedures, the | At the end of the procedures, the AEPD found a violation of [[Article 6 GDPR|Article 6]] and imposed a fine of €3.000.000. Due to the absence of clear information in the bank's privacy policy document, it also found a violation of Article [[Article 13 GDPR|13]] and [[Article 14 GDPR|14 GDPR]] and imposed a fine of €2.000.000. Moreover, the AEPD ordered BBVA to adapt its processing operations to the GDPR as well as the information provided to its clients and the procedure through which consent was obtained. In its decision, the AEPD considered that although the complaints referred to specific and individualized behaviors in relation to certain natural persons, the violations transcended said complaints. Since the privacy policy document was being used to ilegally obtain consent from its customers, the AEPD found that the document itself infringed the GDPR, affecting all the bank's clients. | ||
The bank filed a judicial appeal against the | The bank filed a judicial appeal against the AEPD decision. The main claim was that there was a total disconnection between the object of the procedure initiated by the DPA and the complaints made by the data subjects. It argued that the AEPD used specific and individual facts to initiate a sort of general review of BBVA's performance. Therefore, it sustained that the AEPD exceeded the scope of the complaints by linking them with the bank's general policy on data protection. | ||
=== Holding === | === Holding === | ||
In handling the bank's main claim, the Court stressed that [[Article 57 GDPR#1f|Article 57 (1)(f) GDPR]] enables DPAs to handle complaints lodged by data subjects and investigate, to the extent appropriate, the subject matter of the complaint. However, it does not allow the DPA to open a sanctioning proceeding against the controller as a result of the complaint. In its reasoning, it refers to the decision of 23 April 2019 (Rec. 88/2017), which defined criteria for the application of the principles of sanctioning administrative law within the scope of the DPAs. | |||
In the case at hand, the judges agreed that the AEPD failed: a) to examine the facts reported in the complaints; b) to make an assessment of the evidence in relation to those facts; and c) to link the facts to the privacy policy document. Rather, they found that the AEPD used these facts to open a sort of general investigation on the privacy policy document. In the Court's view, the allusion to the bank's privacy policy in relation to certain facts empowers the DPA only to investigate said facts or the "subject matter of the complaint" as indicated in the aforementioned article. | |||
Furthermore, the Court highlighted the relevance of the principle of legality, provided for in Article 25(1) of the [https://www.boe.es/buscar/pdf/1978/BOE-A-1978-31229-consolidado.pdf Spanish Constitution], within the scope of sanctioning administrative procedures. It referred to a Supreme Court precedent according to which this principle "is translated into the imperative requirement of normative predetermination of illegal behaviors and the corresponding sanctions". In the case under analysis, the National Court understood that the mere existence of a privacy policy does not correspond to any concrete violation. Since the GDPR do not punish potential violations, it was not possible to impose a fine. | |||
Furthermore, the Court | |||
Finally, the Court held that the evaluation of the evidence by the DPA must be carried out in compliance with the principle of the presumption of innocence, which limits its action to the facts proven in the course of the procedure. In its understanding, the facts do not lead to the conclusion that the privacy policy violated the rights of an entire universe of consumers, not least because a small number of complaints cannot be taken as representative of thousands of bank clients. | Finally, the Court held that the evaluation of the evidence by the DPA must be carried out in compliance with the principle of the presumption of innocence, which limits its action to the facts proven in the course of the procedure. In its understanding, the facts do not lead to the conclusion that the privacy policy violated the rights of an entire universe of consumers, not least because a small number of complaints cannot be taken as representative of thousands of bank clients. | ||
Revision as of 13:38, 19 April 2023
| AN - 0000104/2021 | |
|---|---|
 | |
| Court: | AN (Spain) |
| Jurisdiction: | Spain |
| Relevant Law: | Article 57(1)(f) GDPR Article 63(1) Law 39/2015 Articles 63(2) and 65(2) |
| Decided: | 23.12.2022 |
| Published: | |
| Parties: | BBVA |
| National Case Number/Name: | 0000104/2021 |
| European Case Law Identifier: | |
| Appeal from: | AEPD (Spain) PS/00070/2019 |
| Appeal to: | Unknown |
| Original Language(s): | Spanish |
| Original Source: | Audiencia Nacional (in Spanish) |
| Initial Contributor: | Bernardo Armentano |
A Spanish Court annuled a millionaire fine imposed on BBVA. It held that the DPA violated principles of the sanctioning procedure, as there was a disconnection between the facts reported in original complaints and the investigation on the bank's privacy policy.
English Summary
Facts
On 11 December 2020, the Spanish DPA (AEPD) jointly decided on 5 complaints made by different data subjects against BBVAPS/00070/2019). In short, of the 5 complaints: 1 concerned the obligation to sign a privacy policy document to unblock a bank account; 1 referred to the validity of the consent obtained through agreement with the privacy policy document; another 3 were related to receiving advertising messages without consent (which the bank claimed to have collected through the privacy policy document that the clients signed).
At the end of the procedures, the AEPD found a violation of Article 6 and imposed a fine of €3.000.000. Due to the absence of clear information in the bank's privacy policy document, it also found a violation of Article 13 and 14 GDPR and imposed a fine of €2.000.000. Moreover, the AEPD ordered BBVA to adapt its processing operations to the GDPR as well as the information provided to its clients and the procedure through which consent was obtained. In its decision, the AEPD considered that although the complaints referred to specific and individualized behaviors in relation to certain natural persons, the violations transcended said complaints. Since the privacy policy document was being used to ilegally obtain consent from its customers, the AEPD found that the document itself infringed the GDPR, affecting all the bank's clients.
The bank filed a judicial appeal against the AEPD decision. The main claim was that there was a total disconnection between the object of the procedure initiated by the DPA and the complaints made by the data subjects. It argued that the AEPD used specific and individual facts to initiate a sort of general review of BBVA's performance. Therefore, it sustained that the AEPD exceeded the scope of the complaints by linking them with the bank's general policy on data protection.
Holding
In handling the bank's main claim, the Court stressed that Article 57 (1)(f) GDPR enables DPAs to handle complaints lodged by data subjects and investigate, to the extent appropriate, the subject matter of the complaint. However, it does not allow the DPA to open a sanctioning proceeding against the controller as a result of the complaint. In its reasoning, it refers to the decision of 23 April 2019 (Rec. 88/2017), which defined criteria for the application of the principles of sanctioning administrative law within the scope of the DPAs.
In the case at hand, the judges agreed that the AEPD failed: a) to examine the facts reported in the complaints; b) to make an assessment of the evidence in relation to those facts; and c) to link the facts to the privacy policy document. Rather, they found that the AEPD used these facts to open a sort of general investigation on the privacy policy document. In the Court's view, the allusion to the bank's privacy policy in relation to certain facts empowers the DPA only to investigate said facts or the "subject matter of the complaint" as indicated in the aforementioned article.
Furthermore, the Court highlighted the relevance of the principle of legality, provided for in Article 25(1) of the Spanish Constitution, within the scope of sanctioning administrative procedures. It referred to a Supreme Court precedent according to which this principle "is translated into the imperative requirement of normative predetermination of illegal behaviors and the corresponding sanctions". In the case under analysis, the National Court understood that the mere existence of a privacy policy does not correspond to any concrete violation. Since the GDPR do not punish potential violations, it was not possible to impose a fine.
Finally, the Court held that the evaluation of the evidence by the DPA must be carried out in compliance with the principle of the presumption of innocence, which limits its action to the facts proven in the course of the procedure. In its understanding, the facts do not lead to the conclusion that the privacy policy violated the rights of an entire universe of consumers, not least because a small number of complaints cannot be taken as representative of thousands of bank clients.
Therefore, the Court annulled the DPA's decision holding that it was not in accordance with the law.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
The resolutions that make up this database are disseminated for the purposes of knowledge and consultation of the decision criteria of the Courts, in compliance with the competence granted to the General Council of the Judiciary by art. 560.1.10º of the Organic Law of the Judiciary. The user of the database will be able to consult the documents as long as they do so for their private use. The use of the database for commercial purposes is not allowed, nor is the massive download of information. The reuse of this information for the preparation of databases or for commercial purposes must follow the procedure and conditions established by the CGPJ through its Judicial Documentation Center. Any action that contravenes the above indications may lead to the adoption of the appropriate legal measures.
